github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-03-20 16:24:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

corrected looping in determineCPE()

Browse Source 
Former-commit-id: 329f20687223f38273b2e23601b05fcea2b9122f
This commit is contained in:
Jeremy Long
2014-09-06 06:37:12 -04:00
parent e72e2c6a02
commit fec53b3951
1 changed files with 15 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
View File

@@ -172,14 +172,20 @@ public class CPEAnalyzer implements Analyzer {
protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException { protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
Confidence confidence = Confidence.HIGHEST; Confidence confidence = Confidence.HIGHEST;
String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence); String vendors = "";
String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence); String products = "";
/* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no for (Confidence l : Confidence.values()) {
* CPE identified. As such, we are "using" the evidence and ignoring the results. */ if (dependency.getVendorEvidence().contains(confidence)) {
addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence); vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
}
int ctr = 0; if (dependency.getProductEvidence().contains(confidence)) {
do { products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
}
/* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
* CPE identified. As such, we are "using" the evidence and ignoring the results. */
if (dependency.getVersionEvidence().contains(confidence)) {
addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
}
if (!vendors.isEmpty() && !products.isEmpty()) { if (!vendors.isEmpty() && !products.isEmpty()) {
final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(), final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
dependency.getVendorEvidence().getWeighting()); dependency.getVendorEvidence().getWeighting());
@@ -193,18 +199,7 @@ public class CPEAnalyzer implements Analyzer {
} }
} }
confidence = reduceConfidence(confidence); confidence = reduceConfidence(confidence);
if (dependency.getVendorEvidence().contains(confidence)) { }
vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
}
if (dependency.getProductEvidence().contains(confidence)) {
products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
}
/* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
* CPE identified. As such, we are "using" the evidence and ignoring the results. */
if (dependency.getVersionEvidence().contains(confidence)) {
addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
}
} while ((++ctr) < 4);
} }
/** /**